This health reform alert summarizes the key changes to the Notice of Privacy Practices ("NPP")[1] requirements in the revised Health Insurance Portability and Accountability Act ("HIPAA") regulations (the "Omnibus Rule")[2] as well as what covered entities need to do to be compliant.[3] Because many covered entities may have modified their NPPs based on the Notice of Proposed Rulemaking issued on July 14, 2010 ("NPRM"),[4] this alert also details the similarities and differences between the NPRM and the Omnibus Rule related to NPPs. In addition, Table 1 of this alert provides a quick summary of the NPRM proposals adopted—or not adopted—by the Omnibus Rule.

As covered entities work toward compliance, they should keep in mind that the Omnibus Rule becomes effective on March 26, 2013, but the deadline for compliance is September 23, 2013.

Key Changes to NPP Content

1. Description of Uses and Disclosures Requiring Authorization

In the NPRM, the U.S. Department of Health and Human Services ("HHS") proposed amending 45 C.F.R. § 164.520(b)(1)(ii)(E) of the HIPAA Privacy Rule to require that NPPs include information regarding certain types of uses and disclosures of protected health information ("PHI") that require an authorization under Sections 164.508(a)(2) through (a)(4). These include (1) most uses and disclosures of psychotherapy notes, (2) uses and disclosures of PHI for marketing purposes, and (3) disclosures that constitute a sale of PHI. The NPRM also proposed requiring that a NPP contain a statement that other uses and disclosures not described in the NPP will be made only with an individual's authorization.

The Omnibus Rule finalizes the proposed modifications in full. Furthermore, the preamble of the Omnibus Rule (the "Preamble") provides several clarifications in response to comments to the NPRM. First, the Preamble clarifies that a NPP need not list all situations regarding authorization. Second, a NPP does not need to include a description of a covered entity's recordkeeping practices with respect to psychotherapy notes. Third, covered entities that do not record or maintain psychotherapy notes are not required to include a statement about the authorization requirement for uses and disclosures of psychotherapy notes.

2. Separate Statements for Certain Uses and Disclosures

The NPRM proposed modifying 45 C.F.R. § 164.520(b)(1)(iii), which requires a covered entity to include in its NPP separate statements about certain activities if the covered entity intends to engage in any of those activities. First, the NPRM proposed requiring a health care provider that has received financial remuneration for sending individuals treatment communications to notify individuals, through its NPP, of its intent to send these communications. Moreover, the NPRM proposed that covered entities would also be required to notify individuals of their right to opt out of receiving such communications. The Omnibus Rule does not adopt these requirements regarding treatment communications. Since the Omnibus Rule treats subsidized treatment communications as marketing communications (with some exceptions), covered entities will not be required to include a statement in their NPPs about such communications and an individual's ability to opt out.

Second, the NPRM also proposed that a covered entity intending to contact an individual to raise funds must inform the individual of its intention and the individual's right to opt out of receiving such communications. The Omnibus Rule adopts these requirements pertaining to fundraising communications. However, it should be noted that, with regard to such communications, a NPP is not required to include the mechanism for individuals to opt out.

Third, pursuant to both HIPAA and the Genetic Information Nondiscrimination Act,[5] HHS published a separate notice of proposed rulemaking on October 7, 2009. This proposed rule required health plans intending to use or disclose PHI for underwriting purposes to include a statement in their NPPs that they are prohibited from using or disclosing an individual's genetic information for such purposes. The Omnibus Rule adopts this requirement but exempts long-term care policy issuers.[6]

3. Enhanced Patient Rights

The NPRM proposed to amend 45 C.F.R. § 164.520(b)(1)(iv)(A) to require inclusion of a statement in NPPs explaining that the covered entity must agree to a request to restrict disclosure of PHI to a health plan if the disclosure is for payment or health care operations and pertains to a health care item or service for which the individual has paid out of pocket in full. The Omnibus Rule adopts this proposal, but the Preamble clarifies that the requirement applies only to health care providers. The Preamble also notes that other types of covered entities may keep existing language specifying that they are not required to agree to a requested restriction.[7]

The Omnibus Rule also requires that covered entities revise their NPPs to address other modifications made to an individual's rights, including, but not limited to, the right to receive electronic copies of health information.[8]

4. Breach Notification Obligations

With regard to new breach notification obligations under Subpart D of Part 164, the NPRM requested comment on whether the Privacy Rule should require a specific statement regarding this new legal duty.

The Omnibus Rule requires covered entities to include in their NPPs a statement of affected individuals' notification rights after a breach of unsecured PHI. The Preamble clarifies that a covered entity will meet this requirement by including a simple statement that an individual has a right to, or will receive, notifications of breaches of his or her unsecured PHI. However, the Omnibus Rule does not prescribe the specific contents of such a statement, and the Preamble notes that the statement does not have to be entity-specific or describe the types of information to be provided in the breach notification.[9]

5. Appointment Reminders and Alternatives

Interestingly, the Omnibus Rule removes the requirement that a NPP include a statement that the covered entity may contact the individual to provide appointment reminders or information about treatment alternatives or other benefits and services that may be of interest to the individual.[10] After March 26, 2013, covered entities will no longer be required to include this statement in their NPPs, but may continue to do so if they wish.

Posting and Distribution

Under the Privacy Rule, whenever there is a material change to a NPP, a covered entity must promptly revise and distribute its NPP. The Omnibus Rule confirms that the required amendments constitute material changes necessitating revision and redistribution of NPPs. Further, the Omnibus Rule provides for certain distribution requirements based on the type of covered entity.

A health plan that currently posts its NPP on its website must (1) prominently post the change or its revised NPP on its website by September 23, 2013 (the compliance date), and (2) provide the revised NPP, or information about the material change and how to obtain the revised NPP, in its next annual mailing to individuals then covered by the plan.[11] Health plans that do not have customer service websites must provide the revised NPP, or information about the material change and how to obtain the revised NPP, to individuals covered by the plan within 60 days of the material revision.[12]

The Omnibus Rule does not modify current requirements for health care providers to distribute NPP revisions.[13] Therefore, when a health care provider with a direct treatment relationship with an individual revises its NPP, the provider must make the NPP available upon request on or after the effective date of the revision.[14] Moreover, the provider must make the NPP available at the service delivery site and post the NPP in a clear and prominent location.[15] The Preamble clarifies that a health care provider is required to give a copy of its NPP only to new patients—and not all individuals seeking treatment.[16]

Impact of Noncompliance by September 23, 2013

Noncompliance with the new NPP requirements could subject covered entities to government investigations, increased civil monetary penalties, resolution agreements, and complaints from patients and beneficiaries. As the Omnibus Rule affects individual rights, covered entities should be cognizant that failure to comply with the NPP requirements may be highly visible by patients and beneficiaries and can result in greater scrutiny by the HHS Office of Civil Rights, the agency with enforcement authority under HIPAA. Therefore, covered entities should make sure to evaluate the content and distribution practices of their NPPs and determine if any changes are necessary to comply with the Omnibus Rule.

Table 1 — Summary of Key Changes to NPP Requirements: Which NPRM Proposals Were Adopted (or Not Adopted) by the Omnibus Rule?

NPRM

Omnibus Rule

Uses and Disclosures of PHI Requiring Authorization — NPPs must include information regarding certain types of uses and disclosures of PHI that require an authorization.

Adopted.

Treatment Communications — A health care provider that has received financial remuneration for sending individuals treatment communications must notify individuals, through its NPP, of its intent to send these communications. Covered entities must notify individuals of their right to opt out of receiving such communications.

Not adopted.

Fundraising — A covered entity that intends to contact an individual to raise funds must inform the individual of its intention and the individual's right to opt out of receiving such communications.

Adopted.

Use or Disclose of PHI for Underwriting Purposes — Health plans intending to use or disclose PHI for underwriting purposes must include a statement in their NPPs that they are prohibited from using or disclosing PHI that is an individual's genetic information for such purposes.

Adopted, but long-term care policy issuers are exempted.

Restrictions on Disclosure of PHI to Health Plan — NPPs must have a statement explaining that the covered entity must agree to a request to restrict disclosure of PHI to a health plan if the disclosure is for payment or health care operations and pertains to a health care item or service for which the individual has paid out of pocket in full.

[1] Under 45 C.F.R. § 164.520, most covered entities must have and distribute a NPP describing (1) the uses and disclosures of protected health information that a covered entity may make, (2) the covered entity's legal duties and privacy practices with respect to protected health information, and (3) the individual's rights concerning protected health information.